#+SETUPFILE: ../../../template/level-2.org
#+TITLE: Phishing Using Let's Encrypt
#+DATE: <2017-03-26 Sun 12:43>
#+AUTHOR: vaeringjar
#+EMAIL: vaeringjar@land
#+DESCRIPTION: Let's Encrypt SSL Certificates Issued to Phishing Sites
#+KEYWORDS: ities security phishing


* Post

/[[https://www.bleepingcomputer.com/news/security/14-766-lets-encrypt-ssl-certificates-issued-to-paypal-phishing-sites/][14,766 Let's Encrypt SSL Certificates Issued to PayPal Phishing
Sites]]/

I see this like any other technological advance. People start driving
cars? So do criminals. But until mass production, some tech has lower
market accessibility. The fact that it went from costing money to
gratis is just accessibility, like buying cosmoastronaut ice cream at
the science museum gift shop; eventually that food becomes a fad or
turns up in some other specialty store.

However, the one thing that makes this different is that, unlike
registering your car VIN, plate number, or driver license, these fraudulent
PayPal websites literally have "paypal" etc. in the name of the domain.
All Let's Encrypt has done is to expose a major flaw at or downstream
in the issuance of domain names. Not that I suggest outlawing strings;
someone might well register "reasons-to-not-use-paypal.com". The
problem comes from domains such as "yes-definitely-paypal.com". But
again, you can search for it. 35000 fake PayPal domains with LE certs
in two years turns into about 100 per day on average, or, from the
graphic, 5101 in Feb 2017, or roughly 182 per day.

Totally manageable with a two person team.

- Temporarily task a human with manually checking.
- Task another human to automate as much of the work as
  possible, either with just dumb string search flags or AI assistance.
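
The "dumb string search" step from the list above, as an added example that is not part of the original post. The hostname list, the =OWN_DOMAINS= allow-list and the look-alike digit table are constructed assumptions, and the look-alike pass goes one step beyond a plain substring match.

```python
BRAND = "paypal"              # brand string taken from the post
OWN_DOMAINS = {"paypal.com"}  # assumption: the brand's own registered domain(s)

# Constructed sample of hostnames as they might appear on newly issued certificates.
SAMPLE_HOSTNAMES = [
    "www.paypal.com",
    "yes-definitely-paypal.com",
    "reasons-to-not-use-paypal.com",
    "PayPal.com.account-verify.example",
    "paypa1-login.example",
    "example.org",
]

# Assumption: a small table of digit-for-letter swaps to undo before searching.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(hostname):
    """Lower-case the name and drop whitespace and any trailing root dot."""
    return hostname.strip().rstrip(".").lower()


def is_own(hostname):
    """True if the name is the brand's own domain or a subdomain of it."""
    return any(hostname == d or hostname.endswith("." + d) for d in OWN_DOMAINS)


def flag(hostname):
    """Return a reason string if the hostname needs human review, else None."""
    host = normalise(hostname)
    if is_own(host):
        return None
    if BRAND in host:
        return "contains brand string"
    if BRAND in host.translate(LOOKALIKES):
        return "contains brand string after look-alike substitution"
    return None


def review_queue(hostnames):
    """Pair every flagged hostname with the reason it was flagged."""
    return [(h, r) for h in hostnames if (r := flag(h))]


if __name__ == "__main__":
    for host, reason in review_queue(SAMPLE_HOSTNAMES):
        print(f"{host}\t{reason}")
```

Both "yes-definitely-paypal.com" and "reasons-to-not-use-paypal.com" land in the queue, so the flag only narrows the list for the human doing the manual check.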
